Every time you open a marketing email, there’s a good chance that certain information is automatically sent back to the sender: the exact time it was read, the type of device used, and sometimes your approximate location. This mechanism, known as a “tracking pixel,” relies on a 1-pixel-by-1-pixel image—invisible to the naked eye—embedded in the body of the message. As soon as it loads, it triggers a request to a remote server that records the event and the associated metadata.
The practice has been around for a long time, but it has become so commonplace (in newsletters, marketing campaigns, and automated follow-up sequences) that the CNIL has ended up receiving a growing number of complaints from users who were completely unaware of its existence.
It was in this context that the authority published, on April 14, 2026, the final version of its recommendations on tracking pixels in emails, following a public consultation launched in June 2025. This document warrants careful reading, as it clarifies a legal framework that many companies still apply only loosely.
A dual legal basis that is often overlooked
The first common mistake is to approach tracking pixels by relying solely on the GDPR. This is insufficient. The applicable legal framework is based on the interplay between two distinct pieces of legislation, which the CNIL’s recommendation specifically clarifies.
The first is the ePrivacy Directive, transposed into French law by Article L.34-5 of the Code of Posts and Electronic Communications. Article 5(3) requires prior consent for any access to information stored on a user’s device, or for any storage of information on that device. Loading a tracking pixel constitutes precisely such access: it reads data from the recipient’s device at the moment the message is opened. It is therefore the ePrivacy Directive that applies first and foremost, regardless of any marketing purpose.
The second is the GDPR, which applies whenever the data collected in this manner (IP address, timestamp, email address) constitutes personal data and is subject to processing. The two frameworks apply concurrently: obtaining consent under the ePrivacy Directive does not exempt one from complying with the GDPR’s requirements regarding the legal basis for processing, informing individuals, and data retention periods.
Consent or exemption: a distinction that brooks no ambiguity
The recommendation distinguishes between two situations, and this distinction lies at the heart of the practical challenges facing businesses.
In principle, the use of a tracking pixel requires the recipient’s prior and informed consent. This consent must be freely given, specific to the intended purpose, and revocable at any time through an accessible mechanism included in each communication. A pre-checked box, a statement buried in a privacy policy, or implied consent simply by opening the message do not meet these requirements.
An exemption exists, but its conditions are strictly cumulative: the purpose must be purely technical, the data collected must be limited to what is strictly necessary, and its use may under no circumstances contribute to secondary processing—whether for personalization, behavioral profiling, or triggering automated sequences. In practical terms, the CNIL permits measuring, without consent, the deliverability of a transactional email related to a service expressly requested, or identifying clearly inactive contacts for the sole purpose of list cleaning. As soon as the pixel is used for any other purpose (e.g., calculating a simple open rate for campaign optimization), the exemption no longer applies and the consent requirement takes precedence.
This is precisely where the risk lies for most companies: many believe they fall under the technical exemption, whereas their actual practices—such as scoring, retargeting, and personalizing the next message—unequivocally place them within the scope of mandatory consent.
B2B is not a free zone
There is a common misconception that needs to be dispelled: some marketing teams believe that B2B prospecting is exempt from the requirements of the GDPR and, by extension, from those of the ePrivacy Directive. This is a misunderstanding.
It is true that B2B marketing may, under certain conditions, rely on legitimate interest as a legal basis under the GDPR. However, this relative tolerance applies only to the act of sending the message. It does not extend to tracking: once a pixel is embedded in the email, the ePrivacy rules apply without distinction, whether the address is generic or personalized, such as jean.dupont@entreprise.fr. The latter constitutes personal data within the meaning of the GDPR, and its processing via a tracking pixel does not benefit from any exemption specific to the professional context.
Tangible impacts on marketing performance
Beyond the legal implications, this recommendation has direct operational consequences that marketing teams would be wise not to underestimate. The traditional metrics on which much of campaign management relies (open rates, read heat maps, conditional follow-up sequences) mostly require individual tracking of user behavior. Yet it is precisely this tracking that now requires explicit consent.
Companies that fail to review their tools therefore face a double penalty: a growing legal risk as the CNIL steps up its oversight in this area, and a gradual deterioration in the quality of their data if non-compliant practices lead to the invalidation of their contact database. In this regard, it is significant that in recent years the CNIL has imposed substantial penalties on entities in various sectors for violations related to trackers and lack of consent, and that it has expressly announced inspections in the months following the publication of this recommendation.
What this means in practice
For new campaigns, compliance is immediate: consent for tracking must be obtained at the time the email address is collected, documented in a way that can be verified at any time, and accompanied by a simple opt-out option. For existing databases, the CNIL does not require retroactive consent, but does require that the affected contacts be notified within three months.
In practice, this involves auditing existing email marketing tools to identify active tracking pixels and their actual purposes, reviewing consent collection procedures, updating privacy notices, and documenting all of this in the data processing register.
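To make the audit step concrete, and to show the mechanism described at the top of this article (a remote 1x1 image that calls home when loaded), here is an added example that is not part of the CNIL recommendation or any vendor tool: a small scanner that flags likely tracking pixels in an HTML email template. The sample email, the hostnames and the detection heuristics (tiny dimensions, CSS hiding, an opaque token in the URL) are constructed assumptions for illustration.

```python
"""Flag likely tracking pixels in an HTML email body (added audit helper)."""
from html.parser import HTMLParser
from urllib.parse import parse_qs, urlparse

# Constructed sample template: a real logo, a hidden 1x1 pixel with a
# per-recipient token, and an inline (cid:) image that cannot call home.
SAMPLE_EMAIL = """
<html><body>
<img src="https://cdn.example.com/logo.png" width="200" height="50" alt="logo">
<p>Hello Jane, here is our newsletter.</p>
<img src="https://track.example.com/open.gif?rid=9f3c2a7b1e5d4c6a8b0f"
     width="1" height="1" style="display: none">
<img src="cid:inline-banner">
</body></html>
"""


class PixelFinder(HTMLParser):
    """Collects <img> tags that look like tracking pixels, with the reasons."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag != "img":
            return
        a = {k: (v or "") for k, v in attrs}
        src = a.get("src", "")
        if not src.lower().startswith(("http://", "https://")):
            return  # cid:/data: images never trigger a remote request
        reasons = []
        w, h = a.get("width", "").strip(), a.get("height", "").strip()
        if w in ("0", "1") and h in ("0", "1"):
            reasons.append("1x1 dimensions")
        style = a.get("style", "").replace(" ", "").lower()
        if "display:none" in style or "visibility:hidden" in style:
            reasons.append("hidden via CSS")
        # Assumed heuristic: a long opaque query value is a per-recipient id,
        # which is what turns a plain image load into individual tracking.
        qs = parse_qs(urlparse(src).query)
        if any(len(v) >= 16 for vals in qs.values() for v in vals):
            reasons.append("opaque token in URL")
        if reasons:
            self.findings.append({"src": src, "reasons": reasons})


def find_tracking_pixels(html):
    """Return a list of {'src', 'reasons'} dicts for suspicious images."""
    finder = PixelFinder()
    finder.feed(html)
    return finder.findings


if __name__ == "__main__":
    for f in find_tracking_pixels(SAMPLE_EMAIL):
        print(f["src"], "->", ", ".join(f["reasons"]))
```

Each hit still has to be matched against its actual purpose (pure deliverability check versus open-rate scoring or follow-up triggering) before deciding whether it falls under the technical exemption or needs consent.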
Updating compliance: a manageable task, provided it is properly organized
This recommendation on tracking pixels highlights a broader reality: GDPR compliance is not a status that is achieved once and for all. It evolves in step with legislation, CNIL decisions, and digital practices, and it requires regular, methodical, and documented updates.
That is precisely the purpose of the guide ID Réflex GDPR: to provide professionals with a practical tool to establish or update their compliance without getting lost in legal complexity, using a hands-on approach that spans from the initial audit to the implementation of procedures. Because robust compliance isn’t built in the rush of an announced audit, but through the consistency of a well-equipped process.